tomcat-users mailing list archives

From Phillip Morelock <>
Subject Re: Security problem?
Date Fri, 07 Jun 2002 08:52:00 GMT
On 6/7/02 1:47 AM, "Laura" <> wrote:

> Hi all,
> It might be that I have a security problem and you should tell me if I am
> right.
> Well, I have a server with an ecommerce application: a user can buy
> something and when he has to pay, the servlet of the web application executes a
> redirect to my servlet (on a different server), passing me the sum of money
> that the user has to pay.
> Could the user change the sum of money?

Yes.  I mean, yes I think so -- but you haven't described the redirect.

>Is redirect secure?

No.  A redirect is literally that.  It "redirects" the client to send its
request to a different server/page/whatever.  This means a cracker could
simply set up a system whereby they don't respond to redirects.  Instead,
they take the information that should be redirected and they alter it in
some way, and then just send a request to your second server.

To see a redirect in action, telnet to your webserver's port and request a
page that uses a redirect.  All it says is "content moved", a response code,
and the "new location" of the content.  The client at this point normally
sends the same request to the new location.  If I am wrong here, someone
please correct me.

> What do you think?

Bad idea.

> If yes, how can I solve the problem?

Dunno how you can do it this way without security problems.  If you're not
keeping track of state, you are in trouble.  Clients cannot be trusted.
> Thanks for your help
> Laura
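The attack Phillip describes (a client that does not follow the redirect but rewrites the amount and sends its own request to the second server), and the check the payment server would need before trusting an amount that arrived in a URL, as an added example in Python. This is not code from either poster and not a Tomcat or servlet API; the hostnames, parameter names and the shared secret are assumptions, and the HMAC-signed parameters are one mitigation, not something the thread prescribes.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed: hypothetical payment servlet on the second server.
PAYMENT_URL = "https://pay.example.test/pay"

# Assumed: a secret shared by the shop server and the payment server.
# Placeholder value for the example; a real deployment loads it from
# configuration and never embeds it in code.
SHARED_SECRET = b"example-shared-secret-do-not-use"


def build_redirect_unsigned(order_id: str, amount_cents: int) -> str:
    """The pattern from the thread: the amount rides in the redirect URL and
    nothing ties it to the server that issued the redirect."""
    return PAYMENT_URL + "?" + urlencode({"order": order_id, "amount": amount_cents})


def redirect_response(location: str) -> str:
    """What the telnet session in the reply shows: a status code, a short
    body note, and the new Location. The client is expected to re-request it."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "Content moved\r\n"
    )


def tamper(url: str, new_amount_cents: int) -> str:
    """The cracker's move: ignore the redirect, rewrite the amount, and send
    the altered request to the second server directly."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    params["amount"] = str(new_amount_cents)
    return urlunsplit(parts._replace(query=urlencode(params)))


def _signature(order_id: str, amount_cents: int) -> str:
    # Bind order id and amount together so neither can be changed alone.
    message = f"{order_id}|{amount_cents}".encode()
    return hmac.new(SHARED_SECRET, message, hashlib.sha256).hexdigest()


def build_redirect_signed(order_id: str, amount_cents: int) -> str:
    """Same redirect, but the first server signs (order, amount) with the
    shared secret; the client can still read it but cannot forge it."""
    params = {
        "order": order_id,
        "amount": amount_cents,
        "sig": _signature(order_id, amount_cents),
    }
    return PAYMENT_URL + "?" + urlencode(params)


def payment_server_accepts(url: str) -> bool:
    """Verification the payment server does before trusting the amount.
    Rejects missing or malformed parameters, non-positive amounts, and any
    signature that does not match; compares in constant time."""
    params = dict(parse_qsl(urlsplit(url).query))
    try:
        order_id = params["order"]
        amount_cents = int(params["amount"])
        sig = params["sig"]
    except (KeyError, ValueError):
        return False
    if amount_cents <= 0:
        return False
    return hmac.compare_digest(sig, _signature(order_id, amount_cents))


if __name__ == "__main__":
    url = build_redirect_unsigned("A1", 4999)
    print(redirect_response(url))
    print("tampered (unsigned):", tamper(url, 1))
    signed = build_redirect_signed("A1", 4999)
    print("signed accepted:", payment_server_accepts(signed))
    print("tampered signed accepted:", payment_server_accepts(tamper(signed, 1)))
```

The signature stops the client from changing the sum, but it does not by itself stop a signed URL from being replayed, and the payment server still has no record of its own. That is the "keeping track of state" point in the reply: the payment server should treat each order id as single-use, or better, receive only the order id and fetch the amount from the shop server over a server-to-server call rather than from anything the client hands it.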